There are a number of places in the krb5 code (e.g. the KDC location plugin lookup call) where we assume that a krb5_data containing a realm string has an extra NUL byte at the end which is not counted as part of the length. This allows the data field to be treated as a C string. In krb5_get_cred_from_kdc_opt, in the referrals case, krb5int_copy_data_contents is used to copy the new realm into the service principal. krb5int_copy_data_contents does not preserve the NUL-terminating byte, so a buffer overrun may occur when the copied realm is later treated as a C string.
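To illustrate the convention at issue, here is an added example (not krb5's own code): a minimal stand-in for krb5_data, a copy routine that copies only length bytes, and a variant that allocates one extra byte for an uncounted NUL terminator. The struct and both function names are constructed for this example; the realm value is also constructed.

```c
#include <stdlib.h>
#include <string.h>

/* Minimal stand-in for krb5_data (constructed for this example). */
typedef struct {
    unsigned int length;
    char *data;
} data_t;

/* Copies exactly length bytes. The result carries no NUL terminator, so a
 * caller that later runs strlen()/strcmp() on dst->data reads past the
 * allocation: the overrun described in the report. */
int copy_data_contents(data_t *dst, const data_t *src) {
    dst->data = malloc(src->length ? src->length : 1);
    if (dst->data == NULL)
        return -1;
    memcpy(dst->data, src->data, src->length);
    dst->length = src->length;
    return 0;
}

/* Allocates length + 1 bytes and writes a NUL that is not counted in
 * length, so the copy honours the "realm data is a C string" convention
 * even when the source bytes are not themselves NUL-terminated. */
int copy_data_contents_add0(data_t *dst, const data_t *src) {
    dst->data = malloc(src->length + 1);
    if (dst->data == NULL)
        return -1;
    memcpy(dst->data, src->data, src->length);
    dst->data[src->length] = '\0';
    dst->length = src->length;
    return 0;
}

/* Consumer that relies on the convention: only safe on an add0 copy. */
size_t realm_cstring_len(const data_t *realm) {
    return strlen(realm->data);
}

/* Check helper: take `len` bytes out of a larger buffer (no NUL at offset
 * len), copy with add0, and confirm the result reads as the expected realm.
 * Returns 1 on success, 0 otherwise. */
int add0_copy_reads_as(const char *buf, unsigned int len, const char *expect) {
    data_t src = { len, (char *)buf };
    data_t dst;
    if (copy_data_contents_add0(&dst, &src) != 0)
        return 0;
    int ok = realm_cstring_len(&dst) == dst.length &&
             strcmp(dst.data, expect) == 0;
    free(dst.data);
    return ok;
}
```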